www.pwc.co.uk/riskassurance

UK Corporate Governance Code: Raising the bar on risk management

Why this is not business as usual and what you need to do to comply

September 2014

“The FRC’s amendments to the UK Corporate Governance Code and Directors’ Guidance (the Code) are intended to raise the bar on the way organisations think about, manage and report on their principal risks and culture.”
Simon Perry, partner, PwC
What’s on your mind?

The revised Code will intensify the spotlight on effective risk management. Do you fully understand its requirements, and are you confident that your current system will satisfy them?

The revised Code is intended to drive a step-change in the way risk is managed and to improve the insight that can be derived from related disclosures in annual reports and accounts. The FRC is clear that this is not business as usual; however, our conversations tell us that many organisations may have misinterpreted this, underestimating the extent of the change that may be required to satisfy the intent. Are you one of them?

The revised Code remains high level, documenting principles-based guidance that specifically requires you to:

- confirm that a robust system of risk management has been developed and is fully integrated into normal management and governance processes (e.g. business strategy and planning)
- define and articulate your appetite for risk in key areas
- describe your principal risks and how they are being managed
- confirm the identification and assessment of all principal risks, e.g. via techniques such as stress and reverse stress testing
- review and confirm the ongoing effectiveness of key operational, financial and compliance controls
- communicate, incentivise, embed and measure behaviours that create a strong risk and control environment, and confirm the existence of an appropriate culture
- consider how much assurance you need over the risk management process, how it will be objectively obtained and what should be communicated externally

The revised Code inevitably increases the focus on risk management and also includes a recommendation that group auditors provide external assurance over the completeness and material accuracy of the statements you make.

Most large organisations have some kind of system for managing risk, although many do not meet the criteria to be described as enterprise risk management (ERM), i.e. providing a consistent view of risk that is aligned and integrated with strategic decision making and reflecting a defined risk appetite.
“Good risk management is not a compliance activity, but a fundamental driver of value and competitive advantage”

For you to confidently provide the required risk information and assurances, you need to be sure that your ERM system is fit for purpose and provides a complete and accurate view of your risk profile; if it does not, you risk being exposed by increased scrutiny from your stakeholders. How confident are you?

To comply with the proposed amendments, boards will need to consider a number of questions, including:

- How can we practically define and articulate our risk appetite?
- What does a robust ERM system look like, and how do we compare with our peers?
- Have we identified and assessed all of our principal risks?
- How do we promote the necessary behaviours and measure whether the right culture is in place?
- What form should the required disclosures take?

Our point of view

It’s important to understand the difference between risk disclosure and risk management. You need to do both well. For audit committees, the revised Code means deriving certainty that ERM has been sufficiently developed and embedded; that they ‘can walk the talk’. The following key ERM components will likely receive scrutiny and require enhancement.

Risk appetite – are you biting off more than you can chew?

Even in financial services, where risk appetite has been well defined for some risk categories for years, this is an area which is relatively immature. While a lot of business activity and theory has been touted, organisations generally struggle to practically define and articulate their risk appetite in a way that adds value. Some executives will argue that risk appetite does not need to be formally defined, being inherently considered as part of the decision-making process; to an extent this is true, but this view is often biased by factors such as a reluctance to address conflicting opinions of executives and NEDs, or to invest the time required to achieve success. With the right guidance, you can define clear, measurable parameters, aligned to your purpose, vision and values, that provide the necessary basis for driving enhanced, more consistent risk decision making.

Effective monitoring – managing crises is missing the point!

The FRC guidance reflects the reality that effective risk monitoring is a prerequisite to ensuring continuous business operation in line with desired appetite levels. In the absence of a reliable monitoring system, any breaches of defined appetite may be identified too late. While a strong capability to react to crises is admirable, this is not the point of risk management; organisations need to focus on avoiding them in the first place and on better capitalising on opportunities. The Code requirement to not only monitor risk but also derive ongoing satisfaction that key controls are functioning effectively is a big ask, and one that you need to respond to. Indeed, some forward-looking organisations are starting to explore and capitalise on technology-driven opportunities, harnessing the exploding data environment to generate genuine, leading risk awareness and insight.

The right culture – have you forgotten something?

The importance of promoting a strong culture aligned to organisational values in order to successfully embed risk management is often overlooked, but is one of the key reasons why ERM fails to deliver on expectations. Embedding an appropriate culture demands more than undertaking employee surveys and tracking the resulting scores; it means defining and embedding the required behaviours and monitoring their drivers to provide insight on their effectiveness. For example, it helps to understand and answer questions such as ‘how do we know that an apparent one-off issue is not a deeper, systemic cultural problem due to a reluctance to challenge?’ Such an understanding will also provide a basis for reporting what is being done to instil the required behaviours and to measure performance.

Providing assurance – do you have the required confidence?

The FRC clearly wants to discourage the use of ‘boilerplate’ language that can make it impossible to tell how good an organisation is at managing risk. With an expectation of more specific and detailed disclosures, e.g. around continuing control effectiveness, directors will want to have confidence in the accuracy of their statements. In support of this, we expect many will seek out external assurance to provide comfort similar to that derived from the financial audit.
When to act

The revised Code applies to accounting periods beginning on or after 1 October 2014. Companies should take appropriate actions, where required, to improve their systems prior to the start of the financial year for which they need to comply.

Here are some examples of when to act:

- You are not confident about the quality or robustness of your ERM system.
- You have been susceptible to undesirable surprises or are continuously firefighting.
- You are uncertain how your risk appetite can be practically articulated and add value.
- Conduct and behavioural failures have occurred in your organisation and their root causes are unclear.

What good looks like

While there is no one-size-fits-all approach, the following principles will help you ensure the right building blocks are in place:

- The board visibly promotes and supports, both in word and spirit, the importance of effective risk management.
- Risk management is wholly integrated into group business planning and strategic decision making.
- A formal definition and articulation of your risk appetite for all major risk areas exists, providing practical guidance on acceptable risk and reward.
- Robust analysis of risk information is undertaken, focusing challenge and resource on critical risk areas.
- An embedded early warning system provides timely awareness of changes in control effectiveness and material areas of risk.
- An understanding exists of the drivers of desired behaviours and the alignment of performance and incentivisation structures.
- Transparent risk disclosures that balance stakeholder insight with protecting competitive advantage are made.

How we can help

Drawing on our experience of developing and embedding numerous ERM systems with some of the world’s leading organisations, and our innovative approach to measuring and strengthening culture, we can help you satisfy both the word and spirit of the Code. Typical areas of support include:

- Conducting maturity and effectiveness reviews of your current ERM system, and peer group benchmarking, to identify areas of good practice and those requiring development
- Developing practical, principles-based ERM frameworks, or enhancing specific risk management components such as quantification and stress testing
- Facilitating definition of risk appetite to practically articulate your desired risk-taking approach
- Crafting informative disclosures that balance evidencing the required assurances with protecting competitive positioning
- Defining robust key risk indicators (KRIs) and deploying technology-based early warning risk monitoring solutions that address the common resourcing and cost challenges
- Bringing behaviours to life, understanding what drives them, and facilitating their measurement to help organisations successfully cultivate and embed the desired risk culture and mindset

What you gain

In addition to compliance with the Code, you can expect to realise the following benefits from investing in development of your ERM capability.

Enhanced insight
Early and more accurate visibility of changes in the risk landscape in areas that could materially impact corporate objectives, facilitating more timely and informed management intervention.

Better decisions
Increased awareness and understanding of the board’s desired risk and reward trade-offs, driving decision-making consistency throughout the organisation.

Superior performance
Identifying and embedding the behaviours that generate competitive advantage, and the agility and flexibility needed to anticipate change and capitalise on opportunities.

Increased stakeholder trust and confidence
Reduced performance volatility and increased consistency in delivering objectives, which, combined with greater levels of transparency, engenders stakeholder confidence and potentially enhanced valuations.
Changing your perspective

The revised Code does not create onerous new compliance requirements; rather, it provides a platform for leading organisations to differentiate themselves.

History consistently shows that organisations that fail to effectively manage risk often themselves fail.

What sort of case study do you want to be?
Delivering value

Our deep technical expertise in developing practical systems of risk management, a track record of successful project delivery with leading organisations, and experience shaping corporate disclosures allow us to provide invaluable support in helping clients derive real value from their risk management activities, as well as satisfying Code requirements.

Case study: risk appetite definition

Our client was decentralising its decision-making authority, and the board wanted to ensure its business units consistently took the right risks for the right returns. Having determined the organisation’s key objectives, stakeholders and risk profile, we identified core decision points where risk-taking guidance would be valuable. Building on existing articulations where possible, we drafted a group-level appetite statement, incorporating metrics to promote measurability. The engagement challenged management and the board to explicitly consider their appetite for specific risks and promoted the awareness and value of risk management throughout the organisation.

Case study: embedding appropriate culture and behaviours

We have developed comprehensive cultural assessment and measurement approaches to enable banks to effectively monitor their behaviours. One of our clients had recently conducted a major behavioural change programme, and we were engaged to review its design and operational effectiveness, providing comfort to management and the regulator that the required change was occurring. Our work included testing key controls to ensure that the right people are recruited, promoted and trained, and that consistent values and behaviours are embedded across the business.

Contacts:

Simon Perry
[email protected]
+44 (0)20 7213 4242

Matt
[email protected]
+44 (0)20 7804 1417

Richard
[email protected]
+44 (0)20 7804 5466

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice.
You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.